From: djm@openbsd.org <djm@openbsd.org>
Date: Sun, 31 May 2026 04:51:45 +0000 (+0000)
Subject: upstream: Fix two separate one-byte out-of-cound reads
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=073faa6beceea162eeeb7963c7352a6c851e507a;p=thirdparty%2Fopenssh-portable.git

upstream: Fix two separate one-byte out-of-cound reads

1) if a server sent an empty reply to a SSH2_FXP_REALPATH request
2) if a batch command used the full 2048 byte buffer but ended in a
  literal backslash character

Both reported by Zhenpeng (Leo) Lin from depthfirst

ok markus@

OpenBSD-Commit-ID: d1ccc1f5a6eb109065ce8a552fea8e502381ce59
---

diff --git a/sftp.c b/sftp.c
index eebb166e8..0ab9206c2 100644
--- a/sftp.c
+++ b/sftp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.250 2026/02/11 17:01:34 dtucker Exp $ */
+/* $OpenBSD: sftp.c,v 1.251 2026/05/31 04:51:45 djm Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -369,10 +369,9 @@ path_strip(const char *path, const char *strip)
 {
 	size_t len;
 
-	if (strip == NULL)
+	if (strip == NULL || (len = strlen(strip)) == 0)
 		return (xstrdup(path));
 
-	len = strlen(strip);
 	if (strncmp(path, strip, len) == 0) {
 		if (strip[len - 1] != '/' && path[len] == '/')
 			len++;
@@ -1283,6 +1282,8 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote,
 					/* Unescape everything */
 					/* XXX support \n and friends? */
 					i++;
+					if (arg[i] == '\0')
+						goto early_nul;
 					argvs[j++] = arg[i];
 				}
 			}
@@ -1293,6 +1294,7 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote,
 				goto string_done;
 		} else if (arg[i] == '\0') {
 			if (state == MA_SQUOTE || state == MA_DQUOTE) {
+ early_nul:
 				if (sloppy) {
 					state = MA_UNQUOTED;
 					if (terminated != NULL)